Your submission was sent successfully! Close

You have successfully unsubscribed! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates about Ubuntu and upcoming events where you can meet our team.Close

USN-5844-1: OpenSSL vulnerabilities

7 February 2023

Several security issues were fixed in OpenSSL.

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Releases

Packages

  • openssl - Secure Socket Layer (SSL) cryptographic library and tools

Details

David Benjamin discovered that OpenSSL incorrectly handled X.400 address
processing. A remote attacker could possibly use this issue to read
arbitrary memory contents or cause OpenSSL to crash, resulting in a denial
of service. (CVE-2023-0286)

Corey Bonnell discovered that OpenSSL incorrectly handled X.509 certificate
verification. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. This issue only
affected Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2022-4203)

Hubert Kario discovered that OpenSSL had a timing based side channel in the
OpenSSL RSA Decryption implementation. A remote attacker could possibly use
this issue to recover sensitive information. (CVE-2022-4304)

Dawei Wang discovered that OpenSSL incorrectly handled parsing certain PEM
data. A remote attacker could possibly use this issue to cause OpenSSL to
crash, resulting in a denial of service. (CVE-2022-4450)

Octavio Galland and Marcel Böhme discovered that OpenSSL incorrectly
handled streaming ASN.1 data. A remote attacker could use this issue to
cause OpenSSL to crash, resulting in a denial of service, or possibly
execute arbitrary code. (CVE-2023-0215)

Marc Schönefeld discovered that OpenSSL incorrectly handled malformed PKCS7
data. A remote attacker could possibly use this issue to cause OpenSSL to
crash, resulting in a denial of service. This issue only affected Ubuntu
22.04 LTS and Ubuntu 22.10. (CVE-2023-0216)

Kurt Roeckx discovered that OpenSSL incorrectly handled validating certain
DSA public keys. A remote attacker could possibly use this issue to cause
OpenSSL to crash, resulting in a denial of service. This issue only
affected Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2023-0217)

Hubert Kario and Dmitry Belyavsky discovered that OpenSSL incorrectly
validated certain signatures. A remote attacker could possibly use this
issue to cause OpenSSL to crash, resulting in a denial of service. This
issue only affected Ubuntu 22.04 LTS and Ubuntu 22.10. (CVE-2023-0401)

Reduce your security exposure

Ubuntu Pro provides ten-year security coverage to 25,000+ packages in Main and Universe repositories, and it is free for up to five machines.

Learn more about Ubuntu Pro

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.10
Ubuntu 22.04
Ubuntu 20.04
Ubuntu 18.04

After a standard system update you need to reboot your computer to make all
the necessary changes.

References

Related notices

  • USN-6564-1: nodejs, nodejs-doc, libnode72, libnode-dev
  • USN-5845-1: libssl1.0-dev, openssl1.0, libssl1.0.0
  • USN-5845-2: openssl, libssl-doc, libssl-dev, libssl1.0.0

Join the discussion

Need help with your security needs?

Ubuntu Pro provides up to ten-year security coverage for over 23,000 open-source packages within the Ubuntu Main and Universe repositories.

Talk to an expert to find out what would work best for you

Further reading